cloudflare · soheiokamoto · Jun 24, 2026
@@ -0,0 +1,18 @@
+---
+title: New WebSocket Analytics Logpush dataset and updated fields
+description: The WebSocket Analytics Logpush dataset is now available, the Firewall events dataset is now available for account-scope Logpush, and new fields have been added to Email Security Alerts.
+date: 2026-06-24
+---
+
+Cloudflare has updated [Logpush datasets](/logs/logpush/logpush-job/datasets/):
+
+### New datasets
+
+- **WebSocket Analytics**: A new dataset with fields including `BytesReceivedClient`, `BytesReceivedOrigin`, `BytesSentClient`, `BytesSentOrigin`, `ClientASN`, `ClientIP`, `ClientRequestHost`, `ClientRequestPath`, `ClientRequestUserAgent`, `ColoCode`, `ConnectionCloseReason`, `ConnectionCloseSource`, `ConnectionID`, `ConnectionTransportCloseCode`, `EdgeEndTimestamp`, `EdgeStartTimestamp`, and `RayID`.
+
+### Updated fields in existing datasets
+
+- **Firewall events** (added): `ZoneName`. The Firewall events dataset is now also available for [account-scope Logpush](/logs/logpush/logpush-job/datasets/account/firewall_events/), in addition to the existing zone scope.
+- **Email Security Alerts** (added): `BCC`, `DKIMResult`, `DMARCPolicy`, `DMARCResult`, and `SPFResult`.
+
+For the complete field definitions for each dataset, refer to [Logpush datasets](/logs/logpush/logpush-job/datasets/).
@@ -27,6 +27,12 @@ Type: `array[object]`
 
 List of objects containing metadata of attachments contained in this message (for example, [{"Md5": "91f073bd208689ddbd248e8989ecae90", "Sha1": "62b77e14e2c43049c45b5725018e78d0f9986930", "Sha256": "3b57505305e7162141fd898ed87d08f92fc42579b5047495859e56b3275a6c06", "Ssdeep": "McAQ8tPlH25e85Q2OiYpD08NvHmjJ97UfPMO47sekO:uN9M553OiiN/OJ9MM+e3", "Name": "attachment.gif", "ContentTypeProvided": "image/gif", "ContentTypeComputed": "application/x-msi", "Encrypted": true, "Decrypted": true}, ...]).
 
+## BCC
+
+Type: `array[string]`
+
+Email address portions of the BCC header provided by the sender, if present (for example, 'firstlast@cloudflare.com').
+
 ## CC
 
 Type: `array[string]`
@@ -39,6 +45,24 @@ Type: `array[string]`
 
 Email address portions of the CC header provided by the sender (for example, 'First Last').
 
+## DKIMResult
+
+Type: `string`
+
+Summary of the DKIM authentication result for the message. <br />Possible values are <em>pass</em> \| <em>neutral</em> \| <em>fail</em> \| <em>error</em> \| <em>permerror</em> \| <em>temperror</em> \| <em>none</em>.
+
+## DMARCPolicy
+
+Type: `string`
+
+Effective DMARC policy for the sending domain. <br />Possible values are <em>none</em> \| <em>quarantine</em> \| <em>reject</em> \| <em>undefined</em>.
+
+## DMARCResult
+
+Type: `string`
+
+Overall DMARC authentication result for the message. <br />Possible values are <em>pass</em> \| <em>fail</em> \| <em>none</em>.
+
 ## FinalDisposition
 
 Type: `string`
@@ -141,6 +165,12 @@ Type: `string`
 
 Hostname provided by the SMTP HELO server.
 
+## SPFResult
+
+Type: `string`
+
+Summary of the SPF authentication result for the message. <br />Possible values are <em>pass</em> \| <em>neutral</em> \| <em>fail</em> \| <em>softfail</em> \| <em>permerror</em> \| <em>temperror</em> \| <em>none</em>.
+
 ## Subject
 
 Type: `string`

@@ -0,0 +1,274 @@
+---
+# Code generator. DO NOT EDIT.
+
+title: Firewall events
+pcx_content_type: configuration
+sidebar:
+  order: 21
+---
+
+The descriptions below detail the fields available for `firewall_events`.
+
+## AISecurityInjectionScore
+
+Type: `int`
+
+The score indicating the likelihood of a prompt injection attack in the request, as determined by AI Security.
+
+## AISecurityPIICategories
+
+Type: `array[string]`
+
+List of PII categories detected in the request by AI Security.
+
+## AISecurityTokenCount
+
+Type: `int`
+
+The number of tokens in the request, as counted by AI Security.
+
+## AISecurityUnsafeTopicCategories
+
+Type: `array[string]`
+
+List of unsafe topic categories detected in the request by AI Security.
+
+## Action
+
+Type: `string`
+
+The code of the first-class action the Cloudflare Firewall took on this request. <br />Possible actions are <em>unknown</em> \| <em>allow</em> \| <em>block</em> \| <em>challenge</em> \| <em>jschallenge</em> \| <em>log</em> \| <em>connectionclose</em> \| <em>challengesolved</em> \| <em>challengebypassed</em> \| <em>jschallengesolved</em> \| <em>jschallengebypassed</em> \| <em>bypass</em> \| <em>managedchallenge</em> \| <em>managedchallengenoninteractivesolved</em> \| <em>managedchallengeinteractivesolved</em> \| <em>managedchallengebypassed</em>.
+
+## ClientASN
+
+Type: `int`
+
+The ASN of the visitor.
+
+## ClientASNDescription
+
+Type: `string`
+
+The ASN of the visitor as a string.
+
+## ClientCountry
+
+Type: `string`
+
+Country from which the request originated.
+
+## ClientIP
+
+Type: `string`
+
+The IP address of the visitor (IPv4 or IPv6).
+
+## ClientIPClass
+
+Type: `string`
+
+The classification of the visitor's IP address, possible values are: <em>unknown</em> \| <em>badHost</em> \| <em>searchEngine</em> \| <em>allowlist</em> \| <em>monitoringService</em> \| <em>noRecord</em> \| <em>scan</em> \| <em>tor</em>.
+
+## ClientRefererHost
+
+Type: `string`
+
+The referer host.
+
+## ClientRefererPath
+
+Type: `string`
+
+The referer path requested by the visitor.
+
+## ClientRefererQuery
+
+Type: `string`
+
+The referer query string requested by the visitor.
+
+## ClientRefererScheme
+
+Type: `string`
+
+The referer URL scheme requested by the visitor.
+
+## ClientRequestHost
+
+Type: `string`
+
+The HTTP hostname requested by the visitor.
+
+## ClientRequestMethod
+
+Type: `string`
+
+The HTTP method used by the visitor.
+
+## ClientRequestPath
+
+Type: `string`
+
+The path requested by the visitor.
+
+## ClientRequestProtocol
+
+Type: `string`
+
+The version of HTTP protocol requested by the visitor.
+
+## ClientRequestQuery
+
+Type: `string`
+
+The query string requested by the visitor.
+
+## ClientRequestScheme
+
+Type: `string`
+
+The URL scheme requested by the visitor.
+
+## ClientRequestUserAgent
+
+Type: `string`
+
+The user-agent string of the visitor.
+
+## ContentScanObjResults
+
+Type: `array[string]`
+
+List of content scan results.
+
+## ContentScanObjSizes
+
+Type: `array[int]`
+
+List of content object sizes.
+
+## ContentScanObjTypes
+
+Type: `array[string]`
+
+List of content types.
+
+## Datetime
+
+Type: `int or string`
+
+The date and time the event occurred at the edge. To specify the timestamp format, refer to [Output types](/logs/logpush/logpush-job/log-output-options/#output-types).
+
+## Description
+
+Type: `string`
+
+The description of the rule triggered by this request.
+
+## EdgeColoCode
+
+Type: `string`
+
+The airport code of the Cloudflare data center that served this request.
+
+## EdgeResponseStatus
+
+Type: `int`
+
+HTTP response status code returned to the browser.
+
+## FirewallForAIInjectionScore (deprecated)
+
+Type: `int`
+
+The score indicating the likelihood of a prompt injection attack in the request, as determined by Firewall for AI. Deprecated: Use AISecurityInjectionScore instead.
+
+## FirewallForAIPIICategories (deprecated)
+
+Type: `array[string]`
+
+List of PII categories detected in the request by Firewall for AI. Deprecated: Use AISecurityPIICategories instead.
+
+## FirewallForAITokenCount (deprecated)
+
+Type: `int`
+
+The number of tokens in the request, as counted by Firewall for AI. Deprecated: Use AISecurityTokenCount instead.
+
+## FirewallForAIUnsafeTopicCategories (deprecated)
+
+Type: `array[string]`
+
+List of unsafe topic categories detected in the request by Firewall for AI. Deprecated: Use AISecurityUnsafeTopicCategories instead.
+
+## FraudUserID
+
+Type: `string`
+
+A unique identifier generated by the Fraud Detection system for each user, generated during any action determined by the fraud event type.
+
+## Kind
+
+Type: `string`
+
+The kind of event, currently only possible values are: <em>firewall</em>.
+
+## LeakedCredentialCheckResult
+
+Type: `string`
+
+Result of the check for [leaked credentials](/waf/detections/leaked-credentials/). <br />Possible results are: <em>password_leaked</em> \| <em>username_and_password_leaked</em> \| <em>username_password_similar</em> \| <em>username_leaked</em> \| <em>clean</em>.
+
+## MatchIndex
+
+Type: `int`
+
+Rules match index in the chain. The last matching rule will have MatchIndex <em>0</em>. If another rule matched before the last one, it will have MatchIndex <em>1</em>. The same applies to any other matching rules, which will have a MatchIndex value of <em>2</em>, <em>3</em>, and so on.
+
+## Metadata
+
+Type: `object`
+
+Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time.
+
+## OriginResponseStatus
+
+Type: `int`
+
+HTTP origin response status code returned to the browser.
+
+## OriginatorRayID
+
+Type: `string`
+
+The RayID of the request that issued the challenge/jschallenge.
+
+## RayID
+
+Type: `string`
+
+The RayID of the request.
+
+## Ref
+
+Type: `string`
+
+The user-defined identifier for the rule triggered by this request. Use refs to label your rules individually alongside the Cloudflare-provided RuleID. You can set refs via the [Rulesets API](/ruleset-engine/rulesets-api/) for some security products.
+
+## RuleID
+
+Type: `string`
+
+The Cloudflare security product-specific RuleID triggered by this request.
+
+## Source
+
+Type: `string`
+
+The Cloudflare security product triggered by this request. <br />Possible sources are <em>unknown</em> \| <em>asn</em> \| <em>country</em> \| <em>ip</em> \| <em>iprange</em> \| <em>securitylevel</em> \| <em>zonelockdown</em> \| <em>waf</em> \| <em>firewallrules</em> \| <em>uablock</em> \| <em>ratelimit</em> \| <em>bic</em> \| <em>hot</em> \| <em>l7ddos</em> \| <em>validation</em> \| <em>botfight</em> \| <em>apishield</em> \| <em>botmanagement</em> \| <em>dlp</em> \| <em>firewallmanaged</em> \| <em>firewallcustom</em> \| <em>apishieldschemavalidation</em> \| <em>apishieldtokenvalidation</em> \| <em>apishieldsequencemitigation</em>.
+
+## ZoneName
+
+Type: `string`
+
+The human-readable name of the zone (for example, 'cloudflare.com').